set sandbox nice value

README.md

@@ -68,4 +68,14 @@ The  current netfilter configuration (--netfilter option) looks like this:
 The filter is loaded by default for Firefox if a network namespace is configured:
 `````
 $ firejail --net=eth0 firefox
-`````
+`````
+
+## Set sandbox nice value
+`````
+      --nice=value
+              Set nice value for all processes running inside the sandbox.
+
+              Example:
+              $ firejail --nice=-5 firefox
+`````
+

RELNOTES

@@ -2,6 +2,7 @@ firejail (0.9.39) baseline; urgency=low
   * work in progress!
   * default seccomp filter update
   * disable STUN/WebRTC in default netfilter configuration
+  * added --nice optoin
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Tue, 8 Feb 2016 10:00:00 -0500
 

src/firejail/firejail.h

@@ -157,8 +157,9 @@ typedef struct config_t {
 	unsigned rlimit_fsize;
 	unsigned rlimit_sigpending;
 	
-	// cpu affinity and control groups
+	// cpu affinity, nice and control groups
 	uint32_t cpus;
+	int nice;
 	char *cgroup;
 	
 
@@ -231,6 +232,7 @@ extern int arg_nosound;	// disable sound
 extern int arg_quiet;		// no output for scripting
 extern int arg_join_network;	// join only the network namespace
 extern int arg_join_filesystem;	// join only the mount namespace
+extern int arg_nice;		// nice value configured
 
 extern int parent_to_child_fds[2];
 extern int child_to_parent_fds[2];

src/firejail/main.c

@@ -92,7 +92,7 @@ int arg_nosound = 0;				// disable sound
 int arg_quiet = 0;				// no output for scripting
 int arg_join_network = 0;			// join only the network namespace
 int arg_join_filesystem = 0;			// join only the mount namespace
-
+int arg_nice = 0;				// nice value configured
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -678,6 +678,10 @@ int main(int argc, char **argv) {
 			arg_ipc = 1;
 		else if (strncmp(argv[i], "--cpu=", 6) == 0)
 			read_cpu_list(argv[i] + 6);
+		else if (strncmp(argv[i], "--nice=", 7) == 0) {
+			cfg.nice = atoi(argv[i] + 7);
+			arg_nice = 1;
+		}
 		else if (strncmp(argv[i], "--cgroup=", 9) == 0) {
 			if (arg_cgroup) {
 				fprintf(stderr, "Error: only a cgroup can be defined\n");

src/firejail/profile.c

@@ -290,6 +290,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 	
+	// nice value
+	if (strncmp(ptr, "nice ", 4) == 0) {
+		cfg.nice = atoi(ptr + 5);
+		arg_nice = 1;
+		return 0;
+	}
+
 	// cgroup
 	if (strncmp(ptr, "cgroup ", 7) == 0) {
 		set_cgroup(ptr + 7);

src/firejail/sandbox.c

@@ -27,6 +27,7 @@
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <dirent.h>
+#include <errno.h>
 
 #include <sched.h>
 #ifndef CLONE_NEWUSER
@@ -582,6 +583,18 @@ int sandbox(void* sandbox_arg) {
 	// set user-supplied environment variables
 	env_apply();
 
+	// set nice
+	if (arg_nice) {
+		errno = 0;
+		int rv = nice(cfg.nice);
+		(void) rv;
+printf("nice rv %d\n", rv);		
+		if (errno) {
+			fprintf(stderr, "Warning: cannot set nice value\n");
+			errno = 0;
+		}
+	}
+	
 	//****************************
 	// set security filters
 	//****************************

src/firejail/usage.c

@@ -178,6 +178,7 @@ void usage(void) {
 	printf("\t--netstats - monitor network statistics for sandboxes creating a new\n");
 	printf("\t\tnetwork namespace.\n\n");
 #endif
+	printf("\t--nice=value - set nice value\n\n");
 	printf("\t--noblacklist=dirname_or_filename - disable blacklist for directory\n");
 	printf("\t\tor file.\n\n");
 	printf("\t--nogroups - disable supplementary groups. Without this option,\n");

src/man/firejail-profile.txt

@@ -228,6 +228,10 @@ Set the CPU cores available for this sandbox using \fBcpu\fR command. Examples:
 cpu 1,2,3
 Use only CPU cores 0, 1 and 2.
 
+.TP
+nice -5
+Set a nice value of -5 to all processes running inside the sandbox.
+
 .SH Control Groups
 Place the sandbox in an existing control group specified by the full path of the task file using \fBcgroup\fR. Example:
 

src/man/firejail.txt

@@ -761,6 +761,16 @@ PID  User    RX(KB/s) TX(KB/s) Command
 .br
 7383 netblue 9.045    0.112    firejail \-\-net=eth0 transmission
 
+.TP
+\fB\-\-nice=value
+Set nice value for all processes running inside the sandbox.
+.br
+
+.br
+Example:
+.br
+$ firejail --nice=-5 firefox
+
 
 .TP
 \fB\-\-noblacklist=dirname_or_filename

test/nice.exp

@@ -0,0 +1,80 @@
+#!/usr/bin/expect -f
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --nice=15\r"
+expect {
+	timeout {puts "TESTING ERROR 0\n";exit}
+	"Child process initialized"
+}
+sleep 1
+
+send -- "top -b -n 1\r"
+expect {
+	timeout {puts "TESTING ERROR 1\n";exit}
+	"netblue"
+}
+expect {
+	timeout {puts "TESTING ERROR 2\n";exit}
+	"15"
+}
+expect {
+	timeout {puts "TESTING ERROR 3\n";exit}
+	"bash"
+}
+expect {
+	timeout {puts "TESTING ERROR 4\n";exit}
+	"netblu"
+}
+expect {
+	timeout {puts "TESTING ERROR 5\n";exit}
+	"15"
+}
+expect {
+	timeout {puts "TESTING ERROR 6\n";exit}
+	"top"
+}
+
+sleep 1
+send -- "exit\r"
+sleep 1
+
+send -- "firejail --profile=nice.profile\r"
+expect {
+	timeout {puts "TESTING ERROR 10\n";exit}
+	"Child process initialized"
+}
+sleep 1
+
+send -- "top -b -n 1\r"
+expect {
+	timeout {puts "TESTING ERROR 11\n";exit}
+	"netblue"
+}
+expect {
+	timeout {puts "TESTING ERROR 12\n";exit}
+	"15"
+}
+expect {
+	timeout {puts "TESTING ERROR 13\n";exit}
+	"bash"
+}
+expect {
+	timeout {puts "TESTING ERROR 14\n";exit}
+	"netblu"
+}
+expect {
+	timeout {puts "TESTING ERROR 15\n";exit}
+	"15"
+}
+expect {
+	timeout {puts "TESTING ERROR 16\n";exit}
+	"top"
+}
+
+
+
+puts "\nall done\n"
+

test/nice.profile

@@ -0,0 +1 @@
+nice 15

test/test.sh

@@ -6,6 +6,9 @@
 
 ./fscheck.sh
 
+echo "TESTING: nice"
+./nice.exp
+
 echo "TESTING: protocol"
 ./protocol.exp